Grafana — свободная программная система визуализации данных, ориентированная на данные систем ИТ-мониторинга.
Релизный цикл, информация об уязвимостях
График релизов
Количество 391
CVE-2025-4123
A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF. The default Content-Security-Policy (CSP) in Grafana will block the XSS though the `connect-src` directive.
BDU:2025-06002
Уязвимость платформы для мониторинга и наблюдения Grafana, связанная с ошибками разграничения доступа, позволяющая нарушителю нарушить работу программы
CVE-2025-4123
A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF. The default Content-Security-Policy (CSP) in Grafana will block the XSS though the `connect-src` directive.
BDU:2025-06809
Уязвимость компонента Custom Frontend Plugin платформы для мониторинга и наблюдения Grafana, позволяющая нарушителю осуществлять межсайтовые сценарные атаки (XSS)
GHSA-66c4-2g2v-54qw
Grafana org admin can delete pending invites in different org
CVE-2024-10452
Organization admins can delete pending invites created in an organization they are not part of.
CVE-2024-10452
Organization admins can delete pending invites created in an organizat ...
CVE-2024-10452
Organization admins can delete pending invites created in an organization they are not part of.
CVE-2024-10452
Organization admins can delete pending invites created in an organization they are not part of.
BDU:2025-01981
Уязвимость веб-инструмента представления данных Grafana, связанная с обходом авторизации с помощью ключа, контролируемого пользователем, позволяющая нарушителю оказать влияние на целостность защищаемой информации
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
 | CVE-2025-4123 A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF. The default Content-Security-Policy (CSP) in Grafana will block the XSS though the `connect-src` directive. | CVSS3: 7.6 | 6% Низкий | 5 месяцев назад |
 | BDU:2025-06002 Уязвимость платформы для мониторинга и наблюдения Grafana, связанная с ошибками разграничения доступа, позволяющая нарушителю нарушить работу программы | CVSS3: 7.2 | 0% Низкий | 6 месяцев назад |
 | CVE-2025-4123 A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF. The default Content-Security-Policy (CSP) in Grafana will block the XSS though the `connect-src` directive. | CVSS3: 7.6 | 6% Низкий | 6 месяцев назад |
| BDU:2025-06809 Уязвимость компонента Custom Frontend Plugin платформы для мониторинга и наблюдения Grafana, позволяющая нарушителю осуществлять межсайтовые сценарные атаки (XSS) | CVSS3: 7.6 | 6% Низкий | 6 месяцев назад |
| GHSA-66c4-2g2v-54qw Grafana org admin can delete pending invites in different org | CVSS3: 2.2 | 0% Низкий | около 1 года назад |
 | CVE-2024-10452 Organization admins can delete pending invites created in an organization they are not part of. | CVSS3: 2.2 | 0% Низкий | около 1 года назад |
| CVE-2024-10452 Organization admins can delete pending invites created in an organizat ... | CVSS3: 2.2 | 0% Низкий | около 1 года назад |
| CVE-2024-10452 Organization admins can delete pending invites created in an organization they are not part of. | CVSS3: 2.2 | 0% Низкий | около 1 года назад |
| CVE-2024-10452 Organization admins can delete pending invites created in an organization they are not part of. | CVSS3: 2.2 | 0% Низкий | около 1 года назад |
| BDU:2025-01981 Уязвимость веб-инструмента представления данных Grafana, связанная с обходом авторизации с помощью ключа, контролируемого пользователем, позволяющая нарушителю оказать влияние на целостность защищаемой информации | CVSS3: 2.7 | 0% Низкий | около 1 года назад |
Уязвимостей на страницу